Ransomware: What is it, and how do you defend yourself against it? (Part 1)


This entry is part 5 of 6 in the series Computer Security Made Simple

In the past month or so, the topic of Ransomware has come up repeatedly in the news. And not just on the Tech-related sites, but the national and local news. With entire hospitals, universities, corporations, and even government agencies being forced to shut down, it has become a major issue. That’s not counting the untold numbers of individuals and families who are affected by ransomware each day. Most of the news articles have focused on one method of attack (called a vector)–email. But there are other ways to become infected. In fact, the last two (WannaCry and “NotPetya”) used other methods to infect systems and networks.

Most of the journalists do a pretty good job of explaining what it did, but not so much how or why it did it. And if you start digging into the deeper details, you’re faced with technical jargon like “Master Boot Record”, “Master File Table”, and “Bootloader” along with gibberish like 0x56 or 0x34 (both of which refer to locations on your physical hard drive). They expect you to have some idea of what these things are, and don’t exactly explain what’s happening in a way that laymen will understand. That’s what I am trying to accomplish here.

This will be a multipart article as part of the series “Computer Security Made Simple”, so in essence a series within a series. Here we go…

Definition of Terms:

Before we dig into what ransomware is, I’m going to define a few terms.

Malware – malicious software. This is software that’s designed to perform malicious actions (like stealing your data, transmitting your login information to someone else, destroying your data, or using your computer to commit acts against other computers–botnet or zombie computers).

Master Boot Record – On your hard drive, you have a series of circles (tracks) and each one is divided into sections (sectors). The Master Boot Record tells the computer how the drive is laid out (partitions) and contains executable code that points to the bootloader–which starts the process of booting your operating systems. It’s located at track 0, sector 0.

Master File Table – On NTFS formatted drives, the MFT tells the operating system where to find the first piece of each file and directory on the drive. It also puts a flag on sections of the drive that are bad so the operating system doesn’t use them. It stores all of the metadata about each file or directory (think artist name, album name, and track number for a song). In an NTFS system, you have two MFTs (one is a backup of the other).

Bootloader – The bootloader handles the actual starting of the operating system. When you first turn the computer on, the motherboard runs a series of tests to make sure it’s functioning correctly (Power-On-Self-Test). You hear a single beep, which means it passed. Then it looks in the master boot record for the code to start the Operating System. The code in the MBR points to the second stage of code, which either boots the operating system, or presents you with a series of options (if you have multiple operating systems, or you were pressing F8 when you started the computer). The second stage points to the location of the kernel (think the brain) of the OS and loads that up. From there, the kernel takes over and you have your Operating System. The first two stages are considered the bootloader. After that, it’s part of the Operating System.
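To make the Master Boot Record description concrete, here is an added example (not from the original post) that parses a 512-byte MBR image: the boot code the firmware jumps to, the four-entry partition table, and the 0x55AA signature. The sample image is constructed in the code, and the partition type names are assumed reference values. It also hashes the boot-code area so a defender can compare it against a baseline from a known-clean machine.

```python
import hashlib
import struct

# Layout of a classic 512-byte MBR (track 0 / LBA 0), following the page's description:
#   bytes 0..445   boot code the firmware jumps to (points at the rest of the bootloader)
#   bytes 446..509 four 16-byte partition entries (how the drive is laid out)
#   bytes 510..511 boot signature 0x55 0xAA (read little-endian as 0xAA55)
MBR_SIZE = 512
TABLE_OFFSET = 446
ENTRY_SIZE = 16
BOOT_SIGNATURE = 0xAA55
# A few common partition type identifiers; assumed reference values, not from the page.
PARTITION_TYPES = {0x07: "NTFS", 0x0C: "FAT32 (LBA)", 0x83: "Linux", 0xEE: "GPT protective"}


def parse_mbr(sector: bytes) -> dict:
    """Return signature validity, the boot code and the non-empty partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    signature = struct.unpack_from("<H", sector, 510)[0]
    partitions = []
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        # status, 3 CHS bytes (skipped), type, 3 CHS bytes (skipped), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0:
            continue  # empty slot
        partitions.append({"index": i, "bootable": status == 0x80,
                           "type": PARTITION_TYPES.get(ptype, f"0x{ptype:02X}"),
                           "lba_start": lba_start, "sectors": count})
    return {"valid_signature": signature == BOOT_SIGNATURE,
            "boot_code": sector[:TABLE_OFFSET], "partitions": partitions}


def boot_code_digest(sector: bytes) -> str:
    """SHA-256 of the boot-code area only. Compare it with a baseline taken from a clean
    system to notice malware that rewrites the MBR while leaving the partition table intact."""
    return hashlib.sha256(parse_mbr(sector)["boot_code"]).hexdigest()


def build_sample_mbr() -> bytes:
    """Constructed sample image: one bootable NTFS partition starting at LBA 2048."""
    sector = bytearray(MBR_SIZE)
    sector[:3] = b"\xEB\x3C\x90"  # placeholder boot code (a jump over the data area)
    struct.pack_into("<B3xB3xII", sector, TABLE_OFFSET, 0x80, 0x07, 2048, 204800)
    struct.pack_into("<H", sector, 510, BOOT_SIGNATURE)
    return bytes(sector)
```

On a real system the 512 bytes would come from a forensic image of the first sector; the digest only helps if the baseline was captured before any infection.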

Encryption (or encrypted) – Encryption is the process of hiding the contents of a file. Think secret codes, because that’s typically what the encryption is used for. You take some text like this: “Hello there.” and scramble it, so it looks like “HW3DGELS;DJEPSZXW'”. This is done using a password or key. If you have the key, you can decrypt the gibberish and read the file. If not, you can try to crack it. Of course, depending on the type of encryption and strength of the key used, it could take a few million years to crack. Better make some lunch.

Bitcoin – Bitcoin (or LiteCoin, Ether, Monero, or Scrypt) is a type of virtual currency. There are exchanges where you can convert real money into bitcoins and vice versa. Because it’s a virtual currency, it’s harder (or almost impossible) to trace. Which is why hackers use it. Even some legitimate sites are accepting bitcoins and other forms as payment now.

Trojan (Trojan Horse) – This is a special type of malware (virus) that is attached to another file. So, let’s say you download an mp3 or a pdf file. The attacker attaches the executable code (the trojan) to the file. So when you open it, the code executes and installs the virus. Then, depending on how the attacker sets things up, the actual file opens.

Worm – Like a trojan, this is a special type of malware. It actively scans the Internet for computers that have certain ports open. Think of ports as doors in your house. When it finds the port it wants, it tries to use vulnerabilities (weaknesses that allow something to be done that shouldn’t) to install the malware. Then your computer starts looking for open ports to spread the malware (both on your local network and the Internet), and the process is repeated. The biggest difference between a worm and a trojan is that with a trojan you have to physically do something to get infected (visit a site, open a file, etc) and with a worm, you don’t have to do anything (except maybe not install the security updates for your Operating System). You just have to be online.

Now that we have the terms out of the way, let’s dig into what Ransomware is.

In short, ransomware is a type of malware that encrypts your files and programs (but leaves the Operating System files alone so it can run) and presents you with a ransom note on your screen. They ask you to send bitcoins to a specific address (wallet) with the promise to send you the decryption key for your data. If you pay the ransom right away, they send you a link to either a file that decrypts your data or the key itself. If you hold off on paying the ransom, in some cases they raise the price, and in other cases, they delete the decryption key (thus making your data irrecoverable). One problem is that as soon as security researchers figure out the information (either the wallet, email address used by the attackers, or the server’s domain name), they shut it down. If you try to pay the ransom after that, you won’t receive anything for your trouble. We’re talking a matter of hours, days or weeks at the latest. Another problem is, do you know what else the attackers have done? How do you know that the ransomware (or the decryption program) didn’t install a keylogger or some other form of malware on your computer too?

In tomorrow’s post, I’ll dig a little deeper into the tech behind what ransomware does.

